AT&T published a cyber breach response playbook for CEOs.

The comprehensive, top-level guide touches on response team structures, the different company types from passive to progressive, immediate actions to take, and how to communicate.

We’ve extracted some findings:

The report says: Most organizations have invested in a variety of tools, processes, and personnel to help protect sensitive systems and data against these threats. But given the sheer volume of attacks, it’s highly likely that one or more will penetrate your defenses. This is why, in addition to threat prevention and detection, you must invest in a comprehensive incident response plan.

A cross-functional team. Because of the business implications of a successful cyberattack, post-breach response is often an all-hands-on-deck affair involving the C-suite, IT, security, legal, communications, and other teams across the organization. AT&T and other service and technology partners also play a role, as do law enforcement agencies, regulators, and, of course, customers.

Let’s be clear: Incident response can make or break your business. Some companies have tallied losses in the tens and even hundreds of millions of dollars after suffering severe breaches. In those cases, the CEO, CIO, or other executives may ultimately take the fall. This report, based on our internal practices, our Global Cybersecurity Readiness survey, and the work we’ve done with customers, is intended to help you avoid that doomsday scenario.

What are the four levels of preparedness (different types of company)?

The AT&T/IDC Global Cybersecurity Readiness survey identifies four levels of security preparedness:

Progressive. This is the highest level of security readiness, in which C-level executives pay close attention to security and invest in a holistic, comprehensive prevention and response strategy.

Proactive. Companies with above-average levels of security readiness realize the importance of IT security and have put in place basic steps to avoid breaches.

Reactive. At companies with below-average levels of security readiness, C-level executives pay moderate-to-little attention to security while delegating security expertise and day-to-day management to IT.

Passive. The least-prepared organizations are run by executives who take a hands-off stance. They tend to be unaware of most breaches and reactive in response to the breaches they do detect.

What do progressive companies look like?

Pragmatic: C-level executives at progressive companies understand they are targets of breaches. That mindset enables them to take a more pragmatic approach to incident planning and response. For example, many progressive companies use technologies to sharply reduce the value of compromised data to hackers.

Comprehensive: Progressive companies are more likely to focus as much on readiness assessments and diagnosis planning as they do on post-breach diagnosis and response (74% for progressive organizations versus 16% of passive companies).

No two cyber attacks or data breaches are identical, nor are the ways in which companies first become aware that something’s wrong. Small attacks or probes may be automatically detected and countered, or quickly contained by a company’s security team. The seriousness of a breach may be immediately apparent, or its scope and damage may only emerge over time. But whether a major breach is only suspected or actually confirmed, the company’s incident response plan comes into play.

Proper, correct, timely communication is vital.

In the wake of the massive Sony hack in November 2014, Sony made several missteps in its public communications. Initially, the company released a vague statement about investigating an “IT matter,” then characterized the breach as a “system disruption.”

As the hackers leaked more and more information, executives were put on the defensive about the sensitive content being released. Sony’s outside counsel sent cease-and-desist letters to the media in an attempt to keep them from publishing the leaked documents — a tactic that was viewed as desperate and defensive. In attempting to contain the breach’s scope, Sony took far too long to acknowledge it and to focus on how it was fixing the problem. One overriding communications strategy is to focus less on the damage to your company and more on the steps you’re taking to protect your customers.

Activate your incident response plan

  • Remove or isolate the infection
  • Assess legal implications
  • Determine root cause
  • Define critical business impact

Read the full playbook